Working with Site-to-Site VPNs
Site-to-site VPNs allow sites in different locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use managed devices instead of VPN concentrators to connect the sites. You can also use a VPN concentrator at one site and a managed device at the other site.
Mobility Master supports the following IKE SA authentication methods for site-to-site VPNs:
The same IKE shared secret must be configured on both the local and remote sites.
The management MAC address of the Mobility Master should be added as the peer MAC address in the managed device to establish the IKE/IPsec tunnel with the Mobility Master. For more information on configuring the MAC address for MAC-based PSK authentication, see the Configuring MAC Address for PSK Authentication section.
Managed devices support Suite-B cryptographic algorithms when the Advanced Cryptography license is installed. For more information, see Understanding Suite-B Encryption Licensing.
You can configure an RSA or ECDSA server certificate and a CA certificate for each site-to-site VPN IPsec map configuration. If you use certificate-based authentication, the peer must be identified by its certificate subject name, distinguished name (for deployments using IKEv2), or by the peer's IP address (for IKEv1). For more information about importing server and CA certificates into Mobility Master, see Management Access.
|
Certificate-based authentication is only supported for site-to-site VPN between two managed devices with static IP addresses. IKEv1 site-to-site tunnels cannot be created between a Mobility Master and a managed device. |
Enable IP compression in an IPsec map to reduce the size of data frames transmitted over a site-to-site VPN between 7200 Series or 7000 Series managed devices using IKEv2 authentication. IP compression can reduce the time required to transmit the frame across the network. When this hardware-based compression feature is enabled, the quality of unencrypted traffic (such as Lync or Voice traffic) is not compromised by increased latency or decreased throughput. IP compression is disabled by default.
Configuring MAC Address for PSK Authentication
On Mobility Master, you can configure the MAC address of the managed device to be used for PSK authentication. The following procedure describes how to configure the MAC address of the managed device for PSK authentication:
1. In the node hierarchy, navigate to the .
2. Click under table.
3. Select from the drop-down list.
4. Enter the .
5. Enter the .
6. Retype the IPsec key.
7. Click .
8. Click .
9. In the window, select the check box and click .
The following CLI command configures the MAC address of the managed device for PSK authentication:
(host) [mynode] (config) #local-peer-mac 00:0c:29:00:00:00 ipsec 123456
You can configure the MAC-based PSK authentication on the managed device.
Working with Third-Party Devices
Managed devices can use IKEv1 or IKEv2 to establish a site-to-site VPN with another managed device or third-party remote client devices. Devices running Microsoft® Windows 2008 can use Suite-B cryptographic algorithms and IKEv1 to support authentication using RSA or ECDSA. StrongSwan® 4.3 devices can use IKEv2 to support authentication using RSA or ECDSA certificates, Suite-B cryptographic algorithms, and pre-shared keys. These two remote clients are tested to work with managed devices using Suite-B cryptographic algorithms.
Working with Site-to-Site VPNs with Dynamic IP Addresses
ArubaOS supports site-to-site VPNs with two statically addressed managed devices, or with one static and one dynamically addressed managed device. Two methods are supported to enable dynamically addressed peers:
The managed device with a dynamic IP address must be configured as the initiator of IKE Aggressive mode for site-to-site VPNs, while the managed device with a static IP address must be configured as the responder of IKE Aggressive mode. Note that when the managed device is operating in FIPS mode, IKE Aggressive mode must be disabled.
The IPsec peers will identify each other using the subject name of X.509 certificates. IKE operates in Main mode when this option is selected. This method is preferred from a security standpoint.
Understanding VPN Topologies
You must configure VPN settings on the managed devices at both the local and remote sites. In the following figure, a VPN tunnel connects Network A to Network B across the Internet.
Figure 1 Site-to-Site VPN Configuration Components
To configure the VPN tunnel on managed device A, you must configure the following:
The source network (Network A)
The destination network (Network B)
The VLAN on which managed device A's interface to the Layer-3 network is located (Interface A in Figure 1)
The peer gateway, which is the IP address of managed device B's interface to the Layer-3 network (Interface B in Figure 1)
Configuring Site-to-Site VPNs
The following procedure describes how to configure a site-to-site VPN:
1. In the node hierarchy, navigate to the tab and expand .
2. In the section, click to open the section.
4. Select the check box so this configuration takes effect as soon as it is saved.
5. In the field, enter a priority level for the IPsec map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made.
6. Select a to specify whether the VPN source, the local network connected to the managed device, is defined by an IP address or a VLAN ID.
If you selected , enter the IP address and netmask for the source network (see managed device A in Figure 1).
If you selected , click the drop-down list and select the VLAN ID for the source network.
7. In the and fields, enter the IP address and netmask for the destination, the remote network to which the local network communicates (see managed device B in Figure 1).
8. The parameter defines the lifetime of the security association in seconds and kilobytes. For seconds, the default value is 7200. To change this value, enter a value between 300 and 86400 seconds. Range: 1000–1000000000 kilobytes.
9. Click the drop-down list and select v1 to configure the VPN for IKEv1, or for IKEv2.
10. (Optional) Click the drop-down list and select a predefined or custom IKE policy to apply to the IPsec map. For more information on default IKE policies, see Table 1.
11. IKEv2 site-to-site VPNs between Mobility Master and 7000 Series managed devices support traffic compression between those devices. Select the check box to enable compression for traffic in the site-to-site tunnel.
12. Select the check box to enable the authentication.
13. Select the containing the interface of the managed device that connects to the Layer-3 network (see Interface A in Figure 1).
This determines the source IP address used to initiate IKE.
14. If you enable mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following modes:
768-bit Diffie–Hellman prime modulus group
1024-bit Diffie–Hellman prime modulus group
2048-bit Diffie–Hellman prime modulus group
256-bit random Diffie–Hellman ECP modulus group
384-bit random Diffie–Hellman ECP modulus group
15. Select the check box to establish the VPN connection, even if there is no traffic being sent from the local network. If you do not select this, the VPN connection is established only when traffic is sent from the local network to the remote network.
16. Select the check box if traffic between the networks is trusted. If you do not select this, traffic between the networks is untrusted.
|
Ensure that you always enable the option. The traffic cannot pass through if this option is disabled. |
17. Select the check box to enforce UDP 4500 for IKE and IPsec. This option is disabled by default.
18. Add one or more transform sets to be used by the IPsec map. Click +, and select an existing transform set or create a new one. Then click to add that transform set to the IPsec map.
19. For site-to-site VPNs with dynamically addressed peers, select from the drop-down list.
a. From the drop-down list, select if the dynamically addressed switch is the initiator of IKE Aggressive mode for site-to-site VPNs, or select if the dynamically addressed switch is the responder for IKE Aggressive mode.
b. In the field, enter a FQDN for the managed device. If the managed device is defined as a dynamically addressed responder, you can select to make the managed device a responder for all VPN peers, or select and specify the FQDN to make the managed device a responder for one specific initiator.
20. For that is , select one of the supported peer gateway types:
: Select this option to identify the remote end point of the
: This option allows you to use the same FQDN across different branches. The FQDN resolves to different IP addresses for each branch, based on its local DNS setting.
21. Define the Peer Gateway using an IP address or FQDN.
If you use IKEv1 to establish a site-to-site VPN for a statically addressed remote peer and selected the IP address option in the previous step, enter the IP address of the interface the remote peer uses to connect to the L3 network (see Interface B in Figure 1).
If you are configuring an IPsec map for a dynamically addressed remote peer and selected the IP address option in the previous step, leave the peer address at its default value of 0.0.0.0.
If you selected the FQDN gateway type in the previous step, enter the fully qualified domain name of the remote peer.
22. Select one of the following authentication types:
a. For PSK authentication, select the pre-shared key option, choose the key representation (text or hex), then enter the shared secret in both fields. This authentication type is generally required in IPsec maps for a VPN with dynamically addressed peers, but can also be used for a static site-to-site VPN. The PSK is the only thing that authenticates the peer, so use a long, randomly generated secret rather than a passphrase.
b. For certificate authentication, select the certificate option, then use the drop-down lists to select the server certificate and the CA certificate previously imported into the managed device. See Management Access for more information. Enter the subject name of the peer certificate.
To identify the subject name of a peer certificate, issue the following command in the CLI:
23. Click .
24. Click .
25. In the window, select the check box and click .
26. Click the IKEv1 or IKEv2 policy section, matching the IKE version you selected in Step 9, to configure an IKE policy.
a. Under , click to open the configuration page.
b. Set the priority to 1 so that this policy takes precedence over the default policies.
c. Select the check box so the configuration takes effect as soon as it is saved.
d. Set the from the drop-down list
e. Set the from the drop-down list.
f. Set the authentication to pre-shared key if you use pre-shared keys. If you use certificate-based IKE, select RSA or ECDSA signatures.
g. Set the from the drop-down list.
h. Set the lifetime of the security association in seconds. The default is 28800 seconds; to change it, enter a value between 300 and 86400 seconds.
i. The IKE policy selections, including any PSK, must be mirrored in the VPN client configuration. When using a third-party VPN client, set the client's VPN configuration to match the choices made above. If you use the Aruba dialer, configure the dialer before downloading it to the local client.
j. Click .
k. Click .
l. In the window, select the check box and click .
The following CLI commands configure a site-to-site VPN between two static IP managed devices using IKEv1:
(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>
src-net <ipaddr> <mask>
dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>
peer-ip <ipaddr>
vlan <ipsec-map-vlan-id>
version {v1|v2}
peer-cert-dn <peer-dn>
pre-connect {enable|disable}
trusted enable
The trusted disable sub-parameter is not supported on the managed device. Always use trusted enable so that traffic can pass through the tunnel.
For certificate authentication:
set ca-certificate <cacert-name>
set server-certificate <cert-name>
(host) [mynode] (config) #crypto isakmp policy <priority>
encryption {3DES|AES128|AES192|AES256|DES}
version {v1|v2}
authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}
group {1|2|14|19|20}
hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}
lifetime <seconds>
For pre-shared key authentication:
(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}
address <peer-address> netmask <mask>
(host) [mynode] (config) #crypto isakmp policy <priority>
encryption {3DES|AES128|AES192|AES256|DES}
version {v1|v2}
authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}
group {1|2|14|19|20}
hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}
lifetime <seconds>
To configure a site-to-site VPN between a statically addressed and a dynamically addressed managed device, start with the dynamically addressed device, which initiates IKE aggressive mode for the site-to-site VPN. Aggressive mode exchanges the peer identities and the PSK-derived authentication hashes before the channel is encrypted, so a captured exchange allows an offline dictionary attack on the pre-shared key; use a long, randomly generated PSK and reserve aggressive mode for peers that genuinely have no static address.
(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name> <ipsec-map-number>
src-net <ipaddr> <mask>
dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>
peer-ip <ipaddr>
local-fqdn <local_id_fqdn>
vlan <ipsec-map-vlan-id>
pre-connect {enable|disable}
trusted enable
For the Pre-shared-key:
(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}
address <peer-address> netmask 255.255.255.255
On the static IP managed device that responds to IKE aggressive mode for the site-to-site VPN:
(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name 2> <ipsec-map-number>
src-net <ipaddr> <mask>
dst-net <ipsec-map-dst-net> <ipsec-map-dst-mask>
peer-ip 0.0.0.0
peer-fqdn fqdn-id <peer_id_fqdn>
vlan <ipsec-map-vlan-id>
trusted enable
For the Pre-shared-key:
(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}
fqdn <ike-id-fqdn>
On a static IP managed device that responds to IKE aggressive mode for the site-to-site VPN with one PSK for all FQDNs:
(host) [mynode] (config) #crypto-local ipsec-map <ipsec-map-name 2> <ipsec-map-number>
src-net <ipaddr> <mask>
peer-ip 0.0.0.0
peer-fqdn any-fqdn
vlan <ipsec-map-vlan-id>
trusted enable
For the Pre-shared-key for All FQDNs:
(host) [mynode] (config) #crypto-local isakmp {key <keystring>|key-hex <keystring>}
fqdn-any
Supporting Null Encryption for IKEv1
Starting from ArubaOS 8.1.0.0, XLP-based controllers support null encryption as an IKEv1 encryption algorithm. This reduces the load on the local router for Internet-destined traffic.
Null encryption provides no confidentiality: with a transform set such as esp-null with esp-sha-hmac, packets are integrity-protected and authenticated, but their payload crosses the network in the clear. Use it only for traffic that does not need to be hidden on the path. Null encryption can be configured as the encryption algorithm in a transform set, which can then be used in any crypto map.
Because null encryption is supported only for IKEv1, use it only in crypto maps with version v1.
The following procedure describes how to configure a new transformation set with null encryption as the encryption algorithm:
1. In the node hierarchy, navigate to the tab.
2. Expand .
3. In the table, click to access the section.
4. Click in the field.
5. Select the option in the window.
6. Select from the drop-down list.
7. Click .
8. Click .
9. In the window, select the check box and click .
The following procedure describes how to add the transformation set in the crypto map created:
1. In the node hierarchy, navigate to the tab.
2. Click accordion.
3. In the table, click to access the section.
4. Click in the field.
5. Select the option in the window.
6. Select an existing transform and click .
7. Click .
8. Click .
9. In the window, select the check box and click .
The following CLI command configures a new transform set with null encryption as the encryption algorithm:
(host) [mynode] (config) #crypto ipsec transform-set test esp-null esp-sha-hmac
The following CLI commands add the transform set to the crypto map created above:
(host) [mynode] (config) #crypto-local ipsec-map test_map 500
(host) [mynode] (config-ipsec-map) #set transform-set test
Adding ANY-ANY Crypto Map
Starting from ArubaOS 8.1.0.0, any-any traffic selectors are negotiated in IKEv1 to enable the option of having numerous tunnels. After the pre-connect flag is enabled for an IPsec map, IKE triggers the tunnel to the peer IP and proposes an any-any traffic selector.
PBR can also be configured to send specific or all traffic to the IPsec map, and can be applied to any VLAN, port, or user role.
Policy-based routing is required for the any-any traffic selector, which is supported only for IKEv1. Data-traffic trigger is not supported in ArubaOS 8.1.0.0.
The following procedure describes how to enable crypto map to allow any any traffic selector:
1. In the node hierarchy, navigate to the tab.
2. Click accordion.
3. In the table, click to access the section.
4. Enter a .
5. Select from the drop-down list.
6. Select from the drop-down list.
7. Click .
8. Click .
9. In the window, select the check box and click .
The following CLI commands enable a crypto map to allow an any-any traffic selector:
(host) [mynode] (config-ipsec-map)# src-net any
(host) [mynode] (config-ipsec-map)# dst-net any
The following CLI commands configure PBR to send all or specific traffic to the IPsec map:
(host) [mynode] (config) #ip access-list route ipsec-pbr
(host) [mynode] (config-route-ipsec-pbr)#any any any route ipsec-map <ipsec-map-name>
The following CLI commands apply PBR to a VLAN, port, or user role:
(host) [mynode] (config) #interface vlan <id>
(host) [mynode] (config-subif) #ip access-group <name> in
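One way to check a site-to-site configuration against the rules this page states, covering the static and dynamically addressed ipsec-map and isakmp policy commands above as well as the null-encryption and any-any/PBR sections, is a small linter. The following is an added Python example, not Aruba code and not a product feature. It parses only the command shapes printed on this page (prompts as shown, the ipsec-map, isakmp policy and transform-set blocks, and the PBR `route ipsec-map` ACL entry), treats a map with no version line as IKEv1 (an assumption), and flags DES, 3DES, MD5, SHA-1 and DH groups 1 and 2 as weak on general cryptographic grounds rather than anything the page says. The sample configuration at the bottom is constructed for the example.

```python
"""Lint ArubaOS-style site-to-site VPN CLI against the rules stated above.

Added example, not Aruba code.  Only the command shapes shown on this page are
understood.  Assumptions: an ipsec-map without a 'version' line is IKEv1, and
DES/3DES/MD5/SHA-1 and DH groups 1-2 are flagged on general cryptographic grounds.
"""
import re

PROMPT = re.compile(r"^\(host\)\s*\[\S+\]\s*\([^)]*\)\s*#\s*")   # "(host) [mynode] (config) #"
WEAK_ALGS = {"DES", "3DES", "md5", "sha", "sha1-96"}
WEAK_GROUPS = {"1", "2"}


def parse(config):
    """Return (maps, policies, transforms, pbr_targets) from CLI text."""
    maps, policies, transforms, pbr = {}, {}, {}, set()
    current = None                                   # block currently being filled
    for raw in config.splitlines():
        tok = PROMPT.sub("", raw).strip().split()
        if not tok:
            continue
        if tok[:2] == ["crypto-local", "ipsec-map"]:
            current = maps.setdefault(tok[2], {"number": int(tok[3])})
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(int(tok[3]), {})
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            transforms[tok[3]] = tok[4:]             # e.g. ['esp-null', 'esp-sha-hmac']
            current = None
        elif "route" in tok and "ipsec-map" in tok:  # PBR ACL entry: ... route ipsec-map NAME
            pbr.add(tok[tok.index("ipsec-map") + 1])
        elif tok[0] in ("crypto-local", "ip", "interface"):
            current = None                           # PSK, ACL and VLAN blocks: not modelled
        elif current is not None:
            if tok[0] == "set":                      # 'set transform-set NAME' inside a map
                current[tok[1]] = " ".join(tok[2:])
            else:                                    # 'peer-ip X', 'trusted enable', ...
                current[tok[0]] = " ".join(tok[1:])
    return maps, policies, transforms, pbr


def lint(config):
    """Return a list of findings; an empty list means the config passes."""
    maps, policies, transforms, pbr = parse(config)
    out = []
    for name, m in maps.items():
        ver = m.get("version", "v1")                 # assumption: unversioned map is IKEv1
        if m.get("trusted") != "enable":
            out.append(f"{name}: 'trusted enable' is required or traffic will not pass")
        if m.get("peer-ip") == "0.0.0.0" and "peer-fqdn" not in m:
            out.append(f"{name}: dynamic peer (peer-ip 0.0.0.0) needs a peer-fqdn identity")
        if m.get("peer-fqdn") == "any-fqdn":
            out.append(f"{name}: any-fqdn shares one PSK with every branch; prefer per-peer identities")
        if "esp-null" in transforms.get(m.get("transform-set"), []):
            out.append(f"{name}: esp-null authenticates but does not encrypt the payload")
            if ver != "v1":
                out.append(f"{name}: null encryption is supported only for IKEv1 maps")
        if m.get("src-net") == "any" and m.get("dst-net") == "any":
            if ver != "v1":
                out.append(f"{name}: any-any selectors are negotiated only in IKEv1")
            if name not in pbr:
                out.append(f"{name}: any-any map needs a PBR ACL that routes traffic to it")
    for prio, p in policies.items():
        life = int(p.get("lifetime", 28800))
        if not 300 <= life <= 86400:
            out.append(f"policy {prio}: lifetime {life}s outside the 300-86400 range")
        for k in ("encryption", "hash"):
            if p.get(k) in WEAK_ALGS:
                out.append(f"policy {prio}: weak {k} {p[k]}")
        if p.get("group") in WEAK_GROUPS:
            out.append(f"policy {prio}: DH group {p['group']} is too small; use 14, 19 or 20")
    return out


# Constructed sample: a sound static-peer map, then a deliberately bad any-any map
# on IKEv2 with null encryption and no PBR, plus a policy using legacy algorithms.
SAMPLE = """\
(host) [mynode] (config) #crypto-local ipsec-map branch1 100
src-net 10.1.0.0 255.255.0.0
dst-net 10.2.0.0 255.255.0.0
peer-ip 203.0.113.7
trusted enable
(host) [mynode] (config) #crypto isakmp policy 1
encryption AES256
authentication pre-share
group 14
hash sha2-256-128
lifetime 28800
(host) [mynode] (config) #crypto ipsec transform-set nullset esp-null esp-sha-hmac
(host) [mynode] (config) #crypto-local ipsec-map catchall 500
src-net any
dst-net any
peer-ip 203.0.113.9
version v2
trusted enable
(host) [mynode] (config-ipsec-map) #set transform-set nullset
(host) [mynode] (config) #crypto isakmp policy 20
encryption 3DES
group 2
hash md5
lifetime 100
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it to list the findings for the sample; to lint a real device, feed it saved CLI configuration text, bearing in mind that the parser ignores any command it does not recognise, so a clean result only covers the commands shown on this page.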
Dead Peer Detection
DPD is enabled by default on the managed device for site-to-site VPNs. DPD, as described in RFC 3706, "A Traffic-Based Method of Detecting Dead IKE Peers," uses IPsec traffic patterns to minimize the number of IKE messages required to determine the liveness of an IKE peer.
After a dead peer is detected, the managed device tears down the IPsec session. Once the network path or other failure condition has been corrected, a new IPsec session is automatically re-established.
The following CLI command configures the DPD parameters:
(host) [mynode] (config) #crypto-local isakmp dpd idle-timeout <idle_sec> retry-timeout <retry_sec> retry-attempts <retry_number>
About Default IKE Policies
ArubaOS includes the following default IKE policies. These policies are predefined, but can be edited and deleted from the CLI or the WebUI. To delete an IKE policy, select an existing policy and click the trash icon.